How can I create a database on my server from the web? - asp.net

I have an admin account for my website where I add new clients. When a new client is added, they get an account and their own database.
The problem is I can't create new databases on my server from my admin account. When running it locally, I can add a database locally. But, when I try adding to the server running my website off the server, I get
CREATE DATABASE permission denied in database 'master'.
I've been able to add the database (locally) a few ways. This is one of the simpler working versions:
tmpConn.ConnectionString = "Data Source=.\\SQLEXPRESS; DATABASE = master;Integrated Security=True;";
sqlCreateDBQuery = " CREATE DATABASE " + dbname;
SqlCommand myCommand = new SqlCommand(sqlCreateDBQuery, tmpConn);
try
{
tmpConn.Open();
myCommand.ExecuteNonQuery();
}
catch (System.Exception ex)
{}

I suspect that whatever account you're using to connect to Sql Server doesn't have permissions to CREATE DATABASE. You're probably using Integrated Security, which would use Network Service/ASP.NET to connect to MSSQL. You need to create a new connection string that uses Sql Authentication with sa (or another sysadmin) credentials.
Oh - and this would work locally because you're running it under Visual Studio's WebDev.exe which is run with your local user account - which is probably set up as a sysadmin in MSSQL.

You should contact your service provider. (Or the maintainer of the server).

You need create database and create database user permissions. Your service provider should be able to facilitate this.

Something else no one has suggested is what kind of validation you are doing on the dbname value. Are you sure there are no spaces in it? That it's not a reserved word? That it doesn't contain malicious code? At very least you should encase it in brackets:
sqlCreateDBQuery = String.Format(" CREATE DATABASE [{0}]", dbname);
I really hope you aren't allowing the user to type this name directly into a textbox somewhere. Even if you use property security on the initial input and this is pulled back from a common "clients" db of some kind, you might be setting yourself up for a 2nd order Sql Injection vulnerability.
After you've addressed that, we can look at the error message here. In this case, the problem is that your web user does not have appropriate CREATE permissions. You need to correct that and it should allow you to proceed. You probably want to reserve a special account for this that you switch to just at this time, so your application doesn't normally run in a context that would allow this kind of action.

Check the permissions for MySQL: Does your admin account have different settings for a local connection versus any host?

Related

Complains of a user that does not exist

I've specified the user of my application pool to be SERVER4\IUSR_SERVER4. And then I added this user to the SQL Server. But when I try to connect to the database I get the following error:
Server Error in '/BSHHD' Application.
Cannot open user default database. Login failed.
Login failed for user 'SERVER4\Administrator'.
What's driving me mad is there's no user named SERVER4\Administrator. What do I have to do in order to be able to properly connect to this SQL Server database from my website?
P.S. I think this is related with Membership authentication. Now I need to find out how Membership accesses SQL Server and where the login credentials are specified
The thing is, the app pool user is not necessarily the user you use to connect to MSSQL (as a guy in the comments already stated). After seeing your connection string, this is probably the case, and maybe, just maybe, the problem is not the user but it's default database.
I've had this error in the past: Try setting the user you use in the connection string (clerk's) default database to something else. This error is common when you've set a default database for a user before and now the database doesn't exist anymore or is having some problems.
You can change the user's default database using something like this:
Exec sp_defaultdb #loginame='clerk', #defdb='dok'
You can also use something like this but I've never used it:
ALTER LOGIN SQLLogin WITH DEFAULT_DATABASE = AvailDBName
Also, there's no need to set the integrated security to false because it is the default value already. I hope this helps =)

Moving SQL Server from local computer to server

I kind of new to SQL Server, I always used access db for my sites.
I created a SQL Server on my local computer and now I want to take this db and transfer it to the server. In access all I had to do is, take the mdb file and put it on the server and change the connection string. How can I transfer the SQL Server db to the server?
Is there any file to put on the server ?
Also the connection string isn't a folder but a local computer like this:
Data Source=my-PC;Initial Catalog=storeSQL1;User ID='my-PC\com';Password='';Trusted_Connection=YES;
Who can provide me this connection string for the server (the hosting company) ?
The easiest way would probably be to create a backup of the database on your local machine, then restore that backup on the new server.
Roadmap is:
Do simple backup-restore to move user databases to target server.
Create script on source server, that can recover permissions and login-users pairing
Restore the CLR and TRUSTWORTHY security for databases, that using unsafe assemblies, simpliest way is (in proper DB):
exec sp_changedbowner 'sa' --sa just for example
ALTER DATABASE dbname SET TRUSTWORTHY ON
Enjoy
Depending on your version of SQL Server here is a good article that outlines all the ways to move a SQL Server Database.
http://blogs.msdn.com/b/sreekarm/archive/2009/09/11/move-a-database-from-one-server-to-another-server-in-sql-server-2008.aspx
As for getting the connection string yes the hosting company would provide you with that. Where is the database hosted, you could check their knowledge base articles or if it's an in house data base I'm sure a dba could provide you with that information. It won't change much from what you have but it will change.
I'm not sure what tools your using, but to start you need to do a dump or backup of your current database on your machine. After you do that then you can do and import which should create all the tables and import any data you have.
After the data exists on the server then as far as the connection string, you just need to say the Data Source is the server ip address or host name and change your User ID and Pass to match that server.
If you need more details on any part of this process, post what tools your using and what your environment looks like and I would be more than happy to assist you.
In my opinion the best way to do that is to detach the db from one server(pc), copy the files to the second one and then attach them on the second server/pc.
To detach:
USE master;
GO
EXEC sp_detach_db #dbname = N'AdventureWorks2008R2';
GO
To attach:
USE master;
GO
CREATE DATABASE MyAdventureWorks
ON (FILENAME = 'C:\MySQLServer\AdventureWorks2008R2_Data.mdf'),
(FILENAME = 'C:\MySQLServer\AdventureWorks2008R2_Log.ldf')
FOR ATTACH;
GO

ASP to database connection

I am new to ASP. I have two databases production and developer databases.
I need to check developer site is going to developer database or not. Both databases have same data and same table names.
But i must work on developer database only how can I?
Generally you'd have an environment configuration file. If you're talking about ASP.NET then it would be the Web.config file. If you're indeed talking about classic ASP then it would probably be an included script with some constants.
If the databases are structurally identical (which they should be) then all you should need to change is the connection string. For classic ASP, you'd probably just store it in a variable:
Dim connString = "This is your connection string"
On the production server, the connection string would be set to your production database. On development machines, it would be set to a development database. (And so on for a test environment, etc.) All of the data access code would just use this connection string variable.
Even more to the point, this should not be the only thing that prevents a developer from using the production database. The DBA should set the permissions such that only the production application has only the access it needs to that database and others do not. Developers should never be able to accidentally modify the production database. So even if you did use the production connection string from your workstation, the database should simply deny you access.
Have two connection strings. Then create a constant variable which will act as your switch and pick the correct connection string:
Dim strCon
CONST DEVELOPMENT = true
if(DEVELOPMENT = true) then
strCon = "Development connection string"
else
strCon = "Live connection string"
end if
adoCon.open strCon
Then you can simply change the switch to true/false depending on which database to pick.
When you specify the database connection you know where you are pointing, so this should be straightforward. But it might be a good idea to use separate logins on dev and production.
So the answer is that you should use the connectionstrings in the config files to get what you need: the "database =.." setting should be set correctly and your problem is aolvedsolved To get extra certainty use different logins, which is recommendable in any case.
you can also use server tracing to monitor activity, but it is not easy on a multi user database and is only a diagnostics tool, not a cure.

How To Query A Database That's Being Used By Asp.Net

I have a Sql Server 2008 Express database file that's currently being used by an ASP.NET application, and I'm not sure how to query the database without taking the website down.
I'm unable to copy the database files (.mdf and .ldf files) to another directory, since they're in use by the web server. Also, if I attach the databases to an instance of the sql server (using the 'Create Database [DB name] on (filename = '[DB filename.mdf]') for attach;' command at the sqlcmd prompt), then the application pool user becomes unable to access the database (i.e. the webpages start producing http 500 errors. I think this might have to do with the username for the application pool becoming somehow divorced from the login credentials in the sql server database).
Any suggestions? I realize this is probably a newbie question, since it seems like a rather fundamental task. However, due to my inexperience, I really don't know what the answer is, and I'm pretty stumped at this point, since I've tried a couple of different things.
Thanks!
Andrew
if I attach the databases to an instance of the sql server (using the 'Create Database [DB name] on (filename = '[DB filename.mdf]') for attach;' command at the sqlcmd prompt),
Don't do this to a live database - it's attempting to be setup an MDF to be written to by two different databases...
Use Backup/Restore
As you've found, Attach/ReAttach requires the database to be offline - use the Backup/Restore functionality:
MSDN: Using SSMS to Backup the Database
MSDN: Using SSMs to Restore the Backup
Be aware that the backup/restore doesn't maintain logins (& jobs if you have any associated with the database) - you'll have to recreate & sync if using an account other than those with uber access.
Maybe Linked Server would work?
Another alternative would be to setup another SQL Server Express/etc instance on a different box, and use the Linked Server functionality to create a connection to the live/prod data. Use a different account than the one used for the ASP application...

asp.net run program with Administrator account

I need to run one console application from ASP.NET application using Administrator account and with Desktop interaction enabled. I have tried code below, console app runs ok but within NETWORK SERVICE account. Any ideas how to run console under Administrator account?
string enginePath = Server.MapPath(#"~/engine/MyConsole.exe");
System.Diagnostics.ProcessStartInfo info = new System.Diagnostics.ProcessStartInfo(enginePath, "");
System.Diagnostics.Process p = System.Diagnostics.Process.Start(info);
p.WaitForExit();
Regards,
Tomas
you could use impersonation, there is an example here
personally i dont like impersonation in asp.net, you need to deal with passwords either not being changed or changing them in code. Is there no way to run what you want as the asp.net user?
edit:
You could acyually impersonate the network service by using "NETWORK SERVICE" as the user name, that would at least allieviate the password issues a little,
Another user already suggested impersonation. If that's good enough, there you go. Like he said, though, there are some maintenance headaches to deal with and some security implications.
Some options that I've used in the past which may or may not be applicable in your situation are:
If the task is on a predictable schedule, just add it to the Scheduled Tasks in Windows, set the appropriate worker account (Administrator, or whatever), and let 'er go. I believe there are also ways to programmatically trigger a scheduled task, but I've never had to do that. A Google search should get you going.
Implement the console app logic as a service running under the appropriate account. Then have the service listen for a "trigger" from your web app--a file drop or something simpler.
Either way the idea is to avoid storing any credientials in your ASP page, and to not have to grant that process rights it doesn't need.
You can use a manifest file and built it into your console application that will instruct it to always run under an admin account. See this example.
If this doesn't work for you then you could try passing in Admin account credentials in the ProcessStartInfo property e.g.
string enginePath = Server.MapPath(#"~/engine/MyConsole.exe");
System.Diagnostics.ProcessStartInfo info = new System.Diagnostics.ProcessStartInfo(enginePath, "");
info.UserName = "Administrator";
info.Password = "Password";
System.Diagnostics.Process p = System.Diagnostics.Process.Start(info); p.WaitForExit();

Resources